Heartbleed the Live Action Monologue

Heartbleed The Live Action Monologue

Just over 40 slides / April 23rd, 2014 Cruft to Content ratio ~1:3

Rights of pictures per copyright holder/creator

Ben Sapiro (CC-BY-SA), 2014 Ben Sapiro (CC-BY-SA), 2014 Ben Sapiro =

@ironfog

Ben Sapiro (CC-BY-SA), 2014 Standard Disclaimer

● My own opinion and views, not that of anyone else (most especially not my employer) ● I’m sorry in advance for whatever I may have done ● I’m sorry for whatever I did in the past ● I didn’t mean it that way (unless that way is correct and good) ● Go make your own informed decisions

Ben Sapiro (CC-BY-SA), 2014 “Looking for a talking head…”

Ben Sapiro (CC-BY-SA), 2014 OpenSSL = ...

… an open-source implementation of the SSL and TLS protocols

Ben Sapiro (CC-BY-SA), 2014 What’s a Heartbeat?

“A HeartbeatRequest message can arrive almost at any time during the lifetime of a connection. Whenever a HeartbeatRequest message is received, it SHOULD be answered with a corresponding HeartbeatResponse message.” - RFC 6520

Ben Sapiro (CC-BY-SA), 2014 CVE-2014-0160

OpenSSL version 1.01(A-E)

Ben Sapiro (CC-BY-SA), 2014 /* Enter response type, length and copy payload */ *bp++ = TLS1_HB_RESPONSE; s2n(payload, bp); memcpy(bp, pl, payload);

User controlled What is not

● It is not a virus ● It is not a flaw in SSL or TLS ● It is not a flaw in any cipher suite ● It does not affect all web sites ● Does not directly impact other software outside of OpenSSL/LibSSL ● It is not an issue with all versions of OpenSSL ● It is not a BoF, ROP or any other voodoo

Ben Sapiro (CC-BY-SA), 2014 XKCD explains

Ben Sapiro (CC-BY-SA), 2014 At least two discoverers of 2 year old vulnerability

@neelmehta of

Ben Sapiro (CC-BY-SA), 2014 A logo & semi-responsible disclosure

Ben Sapiro (CC-BY-SA), 2014 What’s at risk of exposure

● usernames and passwords ● cookie values ● user provided data = {credit card numbers, private information, email addresses} ● encryption keys (maybe) … anything that can be sent to a web server … anything in process memory that includes LibSSL/OpenSSL

Ben Sapiro (CC-BY-SA), 2014 Ben Sapiro (CC-BY-SA), 2014 50% done

Ben Sapiro (CC-BY-SA), 2014 But it’s heap memory

In the OpenSSL heap: ● Copies of the private key (full & partial) ● Moduli of the private key

Ben Sapiro (CC-BY-SA), 2014 Guaranteed exploitable

Ben Sapiro (CC-BY-SA), 2014 What’s at risk of exposure

● usernames and passwords ● cookie values ● user provided data = {credit card numbers, private information, email addresses} ● encryption keys (repeatedly confirmed) … anything that can be sent to a web server … anything in process memory that includes LibSSL/OpenSSL

Ben Sapiro (CC-BY-SA), 2014 Not just your web server

● Load balancers ● VPN gateways ● Routers ● Switches ● VoIP devices ● Multiple web software packages ● Mail gateways ● Managed FTP ● TOR!!! ● Anything that uses OpenSSL/LibSSL <1.01f

Ben Sapiro (CC-BY-SA), 2014 TTT → Time To Tools

● Perl, python, ruby scripts ~ 24 hours ● Metasploit - same day ● Testing websites ~ 24 hours ● Automatic cert stealer (heartleech) ~ 7 days

Ben Sapiro (CC-BY-SA), 2014 This sounds horrible

CVSSv2 = 5??

Ben Sapiro (CC-BY-SA), 2014 This sounds horrible

CVSS V2 scoring evaluates the impact of the vulnerability on the host where the vulnerability is located. When evaluating the impact of this vulnerability to your organization, take into account the nature of the data that is being protected and act according to your organization’s risk acceptance. While CVE- 2014-0160 does not allow unrestricted access to memory on the targeted host, a successful exploit does leak information from memory locations which have the potential to contain particularly sensitive information, e.g., cryptographic keys and passwords. Theft of this information could enable other attacks on the information system, the impact of which would depend on the sensitivity of the data and functions of that system.

Ben Sapiro (CC-BY-SA), 2014 ???

Ben Sapiro (CC-BY-SA), 2014 Your IPS sigs

● Initial logic designed to catch specific tests ● Detection during handshake versus post- handshake ● Flag is outside encrypted payload

Ben Sapiro (CC-BY-SA), 2014 RAW Packet (encrypted payload)

Heartbeat Flag TLS Encrypted Payload version

Length = 80

Decrypted payload

= 1021 Ben Sapiro (CC-BY-SA), 2014 Your logs probably won’t help

● activity won’t show in HTTP logs ● this isn’t an error alert condition (the process doesn’t abend) ● OpenSSL needs to be compiled to enable debug logging ● Mod_SSL default log level is none

Packet captures do help (if you have keying material)

Ben Sapiro (CC-BY-SA), 2014 Fix all the things

1. Patch OpenSSL 2. Patch LibSSL 3. Update firmware or software packages 4. Replace Keys 5. Reset in scope passwords

While you’re at it: 6. Enable Perfect Forward Secrecy 7. Disable weak ciphers

Ben Sapiro (CC-BY-SA), 2014 But wait, there’s more!

● Reverse Heartbleed ● Client side Heartbleed

Heartbleed is not server specific, the RFC for SSL Heartbeats is bi-directional only specifying peers in the session

Ben Sapiro (CC-BY-SA), 2014 Lessons Learned - AppSec/DevSec

1. Don’t rely on user provided length values 2. Length check buffers before copying 3. Static Analysis didn’t catch this 4. Set ASSERTS or equivalent 5. C is powerful, C requires careful handling 6. Code reviews are your friend 7. Don’t invent your own memory management 8. Don’t spray keying material all over process memory

Ben Sapiro (CC-BY-SA), 2014 Lessons Learned - Security & Ops

1. Have a complete system inventory 2. Have a complete software inventory 3. Be able to patch in 24 hours 4. Have (practiced) Incident Response processes 5. Load balancers/reverse proxies might be a good thing 6. You may like your CERT vendor less now

Ben Sapiro (CC-BY-SA), 2014 In summary

● Heartbleed is a vuln with a logo ● It is that bad ● Patch everywhere, replace certs, follow incident response process, reset affected passwords & sessions, start drinking ● Don’t forget your internal systems

Ben Sapiro (CC-BY-SA), 2014 Other takeaways

● Ignore vendors who tell you their product would have detected Heartbleed & Stuxnet ● OpenSSL needs a cleanup, audit & funding ● 19 year old script kiddies need to learn how to use TOR ● 19 year script kiddies shouldn’t annoy the government agency with all the money

Ben Sapiro (CC-BY-SA), 2014 Homework

● Why is Akamai’s patch broken? ● What are Theo De Raadt and the OpenBSD crew up to? ● Checkout the Cloudflare Challenge Ben Sapiro (CC-BY-SA), 2014

Mandatory plug

● Go to www.kpmg.ca/cybersecurity ● Look on the right ● Download “What is Heartbleed?” ● Give to executive/management types More Plugs

Ben Sapiro (CC-BY-SA), 2014 This Slide Unintentionally Blank

Ben Sapiro (CC-BY-SA), 2014 Thank you

This work is licensed under the Creative Commons Attribution- ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.

Ben Sapiro (CC-BY-SA), 2014 Sorry

Ben Sapiro (CC-BY-SA), 2014